Vulnerabilities ›

CVE-2021-42287

Critical 🇺🇸 CISA KEV ⚡ Exploit Available

Microsoft Active Directory Domain Services Privilege Escalation Vulnerability — Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

                    Published: Apr 11, 2022                                          ·  Source: CISA_KEV                

CVSS v3

9.0

🔗 NVD Official

📄 Description (English)

🤖 AI Executive Summary

CVE-2021-42287 is a critical privilege escalation vulnerability in Microsoft Active Directory Domain Services (CVSS 9.0) that allows authenticated attackers to escalate privileges within AD environments. This vulnerability poses severe risk to Saudi organizations as AD is the foundational identity and access management system for most enterprises. Exploitation requires network access but no user interaction, making it highly exploitable in compromised environments.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 11:17

🇸🇦 Saudi Arabia Impact Assessment

Critical impact across all Saudi sectors relying on Active Directory: Banking sector (SAMA-regulated institutions, payment processing), Government agencies (NCA, ministries), Healthcare (MOH facilities, private hospitals), Energy sector (ARAMCO, utilities), Telecommunications (STC, Mobily, Zain), and Large enterprises. Successful exploitation enables attackers to gain domain admin privileges, compromise entire IT infrastructure, access sensitive data, and establish persistent backdoors. Saudi critical infrastructure operators face elevated risk of cascading failures.

🏢 Affected Saudi Sectors

Banking & Financial Services Government & Public Administration Healthcare Energy & Utilities Telecommunications Large Enterprises Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1078 - Valid Accounts T1548 - Abuse Elevation Control Mechanism T1134 - Access Token Manipulation T1098 - Account Manipulation T1556 - Modify Authentication Process T1556.001 - Domain Controller Authentication T1021 - Remote Services T1021.006 - Windows Remote Management

⚖️ Saudi Risk Score (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Apply Microsoft security patches KB5007247 (Windows Server 2016/2019/2022) immediately to all Domain Controllers

2. Prioritize patching in this order: Domain Controllers → Exchange servers → Member servers → Workstations

3. Verify patch installation: Run 'Get-HotFix -Id KB5007247' on all DCs



DETECTION & MONITORING:

4. Enable Advanced Audit Policy: Audit Privilege Use, Audit Account Management, Audit Logon Events

5. Monitor Event ID 4672 (Special Privileges Assigned) and 4688 (Process Creation) for suspicious privilege escalation patterns

6. Deploy SIEM rules to detect unusual Kerberos TGT requests and service ticket anomalies

7. Monitor for lateral movement post-exploitation using network segmentation alerts



COMPENSATING CONTROLS (if immediate patching delayed):

8. Implement strict Group Policy restrictions on service account usage

9. Enable MFA for all privileged accounts and administrative access

10. Restrict network access to Domain Controllers using firewall rules

11. Implement Just-In-Time (JIT) privileged access management

12. Conduct immediate AD security audit for unauthorized privilege escalations

13. Review and revoke unnecessary service account privileges

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تطبيق تصحيحات الأمان من Microsoft KB5007247 (Windows Server 2016/2019/2022) فوراً على جميع Domain Controllers

2. أولويات التصحيح: Domain Controllers → خوادم Exchange → خوادم العضويات → محطات العمل

3. التحقق من التثبيت: تشغيل 'Get-HotFix -Id KB5007247' على جميع DCs

الكشف والمراقبة:

4. تفعيل Advanced Audit Policy: Audit Privilege Use, Audit Account Management, Audit Logon Events

5. مراقبة Event ID 4672 و 4688 للكشف عن أنماط تصعيد امتيازات مريبة

6. نشر قواعد SIEM للكشف عن طلبات Kerberos TGT غير العادية

7. مراقبة الحركة الجانبية باستخدام تنبيهات تقسيم الشبكة

الضوابط البديلة (إذا تأخر التصحيح الفوري):

8. تطبيق قيود Group Policy صارمة على استخدام حسابات الخدمة

9. تفعيل MFA لجميع الحسابات المميزة والوصول الإداري

10. تقييد الوصول للشبكة إلى Domain Controllers باستخدام قواعد جدار الحماية

11. تطبيق إدارة الوصول المميز في الوقت المناسب (JIT)

12. إجراء تدقيق أمان AD فوري للكشف عن تصعيد امتيازات غير مصرح به

13. مراجعة وإلغاء امتيازات حسابات الخدمة غير الضرورية

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies ECC 2024 A.5.2.1 - User Registration and De-registration ECC 2024 A.5.3.1 - Access Rights Review ECC 2024 A.8.2.1 - User Access Management ECC 2024 A.9.2.1 - User Responsibility for Password

🔵 SAMA CSF

SAMA CSF ID.AM-1 - Asset Management SAMA CSF PR.AC-1 - Access Control Policy SAMA CSF PR.AC-4 - Access Rights Management SAMA CSF DE.CM-1 - Network Monitoring SAMA CSF RS.MI-2 - Incident Response Procedures

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies ISO 27001:2022 A.6.2 - Access Control ISO 27001:2022 A.8.1 - User Endpoint Devices ISO 27001:2022 A.8.2 - Privileged Access Rights ISO 27001:2022 A.8.3 - Information Access Restriction

🟣 PCI DSS v4.0

PCI DSS 2.1 - Default Passwords PCI DSS 7.1 - Access Control Implementation PCI DSS 8.1 - User ID Assignment PCI DSS 8.2 - Strong Authentication

🔗 References & Sources 0

No references.

📦 Affected Products / CPE 1 entries

Microsoft:Active Directory

📊 CVSS Score

9.0

/ 10.0 — Critical

📋 Quick Facts

Severity Critical

CVSS Score9.0

EPSS94.01%

Exploit ✓ Yes

Patch ✓ Yes

CISA KEV🇺🇸 Yes

KEV Due Date2022-05-02

Published 2022-04-11

Source Feed cisa_kev

🇸🇦 Saudi Risk Score

9.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

kev actively-exploited ransomware

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2021-42287

Introduce Yourself

Sign In Required